
clangsa+CTU analysis produces different results on big code base #4368

Open
pskrgag opened this issue Oct 18, 2024 · 1 comment
pskrgag commented Oct 18, 2024

I am trying to integrate clangsa with CodeChecker on our CI. We have quite a big project (about ~1000 TUs). The problem I see is that after random changes, clangsa starts reporting bugs in quite old files that we haven't touched for years.
This also happens when new annotations get added (like ownership_returns). Some old reports disappear and some new ones appear (unrelated to the added annotation).

I tried both CTU modes and the results are the same. I also tried using -j1, which seems to help sometimes, but makes the analysis too slow, which is unacceptable on CI.

Bugs are real (which is amazing), but it makes life for developers quite hard, since they see reports in files they didn't even touch.

Unfortunately, I cannot provide a reproducer, since the codebase is proprietary, but I wonder if it's known and whether there is a way to somehow work around it.


pskrgag commented Oct 18, 2024

Ok, I guess I did find a reproducer in open-source code:

My current environment:

λ > clang-18 --version
Ubuntu clang version 18.1.8 (++20240731024944+3b5b5c1ec4a3-1~exp1~20240731145000.144)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin

CodeChecker

---------------------------------------------------------------
Kind                 | Version
---------------------------------------------------------------
Base package version | 6.23.1
Package build date   | 2023-12-14T14:38
Git commit ID (hash) | 2a8fa6e711a4ff591280a79fe8798dee2507d984
Git tag information  | 6.23.1
---------------------------------------------------------------
  1. qemu source on hash 7425b6277f12e82952cede1f531bfc689bf77fb1
  2. ./configure --target-list=x86_64-softmmu,aarch64-softmmu
  3. bear -- make -j
  4. first run CC_ANALYZER_BIN='clangsa:/usr/bin/clang-18' CodeChecker analyze --ctu compile_commands.json -o reports1 --analyzers clangsa -d deadcode.DeadStores -e fuchsia.HandleChecker
  5. Apply a random attribute to a random function:
diff --git a/disas/disas-internal.h b/disas/disas-internal.h
index 84a01f126f..8b3d55adb3 100644
--- a/disas/disas-internal.h
+++ b/disas/disas-internal.h
@@ -15,6 +15,9 @@ typedef struct CPUDebug {
 } CPUDebug;
 
 void disas_initialize_debug_target(CPUDebug *s, CPUState *cpu);
+
+typedef int zx_handle_t;
+__attribute__((acquire_handle("Fuchsia")))
 int disas_gstring_printf(FILE *stream, const char *fmt, ...)
     G_GNUC_PRINTF(2, 3);
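Review bot: the `typedef int zx_handle_t;` added in this hunk is never referenced, and `__attribute__((acquire_handle("Fuchsia")))` is attached to `disas_gstring_printf`, a `G_GNUC_PRINTF`-annotated formatter whose `int` result is not a handle. As a deliberate perturbation for the reproducer that is fine, but step 5 should say the annotation is intentionally meaningless so the hunk is not mistaken for a real fuchsia.HandleChecker annotation.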
  6. second run CC_ANALYZER_BIN='clangsa:/usr/bin/clang-18' CodeChecker analyze --ctu compile_commands.json -o reports --analyzers clangsa -d deadcode.DeadStores -e fuchsia.HandleChecker
  7. Diff command shows some new reports (really unrelated to the added attribute):
λ > CodeChecker cmd diff -b reports1 -n reports --new
[INFO 2024-10-18 13:55] - Matching local report directories (--baseline): /home/paskripkin/Documents/sources/qemu/reports1
[INFO 2024-10-18 13:55] - Matching local report directories (--newname): /home/paskripkin/Documents/sources/qemu/reports
[MEDIUM] /home/paskripkin/Documents/sources/qemu/contrib/elf2dmp/main.c:549:13: Use of memory allocated with size zero [unix.Malloc]
    state = qemu_elf.state[0];
            ^

Found 1 defect(s) in main.c

[MEDIUM] /home/paskripkin/Documents/sources/qemu/contrib/elf2dmp/qemu_elf.c:103:31: Use of memory allocated with size zero [unix.Malloc]
            qe->state[cpu_nr] = nhdr_get_desc(nhdr);
                              ^

Found 1 defect(s) in qemu_elf.c
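To tell "-j nondeterminism" apart from churn caused by the source change itself, it helps to run the same analysis on an unchanged tree several times and keep only the reports that are not present in every run. The script below is an added example (not the reporter's or CodeChecker's code); it assumes the `[SEVERITY] path:line:col: message [checker]` text format printed above by `CodeChecker cmd diff`, and the sample outputs are constructed.

```python
import re
from typing import Dict, Set, Tuple

# Report lines as printed by `CodeChecker cmd diff` in the issue above:
#   [MEDIUM] /path/file.c:LINE:COL: message [checker]
REPORT_RE = re.compile(
    r"^\[(?P<sev>[A-Z]+)\]\s+(?P<path>\S+?):(?P<line>\d+):(?P<col>\d+):\s+"
    r"(?P<msg>.*?)\s+\[(?P<checker>[\w.]+)\]\s*$"
)

# Key for one finding: (path, line, checker). The column is dropped so
# a purely horizontal edit of a line does not show up as a new report.
Report = Tuple[str, int, str]


def parse_reports(text: str) -> Set[Report]:
    """Extract report keys from CodeChecker text output; other lines
    (source echo, caret markers, 'Found N defect(s)') are skipped."""
    found: Set[Report] = set()
    for ln in text.splitlines():
        m = REPORT_RE.match(ln)
        if m:
            found.add((m["path"], int(m["line"]), m["checker"]))
    return found


def compare_runs(runs: Dict[str, str]) -> Dict[str, Set[Report]]:
    """For {run_name: output_text} of repeated analyses of the SAME tree,
    return per run the reports that are not shared by every run. Any
    non-empty set means the analyzer output itself is unstable, so the
    churn cannot be blamed only on the source change under test."""
    parsed = {name: parse_reports(txt) for name, txt in runs.items()}
    common = set.intersection(*parsed.values()) if parsed else set()
    return {name: reps - common for name, reps in parsed.items()}


# Constructed sample outputs (paths invented) in the format shown above.
RUN_A = """[MEDIUM] /src/contrib/elf2dmp/main.c:549:13: Use of memory allocated with size zero [unix.Malloc]
    state = qemu_elf.state[0];
            ^

Found 1 defect(s) in main.c
"""
RUN_B = RUN_A + """[MEDIUM] /src/contrib/elf2dmp/qemu_elf.c:103:31: Use of memory allocated with size zero [unix.Malloc]
Found 1 defect(s) in qemu_elf.c
"""

if __name__ == "__main__":
    for run, unstable in compare_runs({"run1": RUN_A, "run2": RUN_B}).items():
        print(run, "reports not shared by every run:", sorted(unstable))
```

Feed it the captured output of several unchanged `analyze` + `cmd diff` runs (with and without `-j1`) to see whether the instability reproduces without any source edit.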
